System requirements

Before you download and install Splunk Enterprise, read this topic to learn about which computing environments Splunk supports. Refer to the download page for the latest version to download. See the release notes for details on known and resolved issues.

For a discussion of hardware planning for deployment, see the new Capacity Planning manual.

Supported server hardware architectures

Splunk offers support for 32 and 64-bit architectures on some platforms. See the download page for details.

Supported Operating Systems

Review the following tables when you research the system requirements. Splunk Enterprise availability has changed from previous versions.

The tables list the computing platforms for which Splunk Enterprise is available. The first table lists availability for *nix operating systems, and the second table lists availability for Windows operating systems.

Determine whether Splunk Enterprise is available for your platform.

1. Find the operating system on which you want to install Splunk Enterprise in the left column.

2. Read across the columns to find the computing architecture in the center column that matches your environment.

The tables show availability for two types of Splunk software, as shown in the two columns on the right: Splunk Enterprise/Trial and Splunk Universal Forwarder. A '✔' in the box that intersects your computing platform and the Splunk software type means that Splunk software is available for that platform. An empty box means that Splunk is not available for that platform. If you do not see your platform or architecture listed, Splunk is not available for that platform and architecture.

Some boxes have other characters. See the bottom of each table to find out what the additional characters represent.

Unix operating systems

Operating system

Architecture

Enterprise

Free

Trial

Universal Forwarder

Solaris 10 and 11*

x86 (64-bit)

✔

✔

✔

✔

SPARC

✔

✔

✔

✔

x86 (32-bit)

*

*

*

*

Linux, 2.6+

x86 (64-bit)

✔

✔

✔

✔

x86 (32-bit)

✔

✔

✔

✔

Linux, 3.0+

x86 (64-bit)

✔

✔

✔

✔

x86 (32-bit)

✔

✔

✔

✔

PowerLinux, 2.6+

PowerPC

✔

zLinux, 2.6+

s390x

✔

FreeBSD 7**

x86 (32-bit)

✔

FreeBSD 8

x86 (64-bit)

✔

✔

✔

✔

x86 (32-bit)

✔

FreeBSD 9

x86 (64-bit)

✔

✔

✔

✔

Mac OS X 10.8, 10.9, and 10.10

Intel

✔

✔

✔

AIX 6.1 and 7.1

PowerPC

✔

✔

✔

✔

HP/UX† 11i v2 and 11i v3

Itanium

✔

* Splunk Enterprise is available and supported on Solaris 10. Solaris 11 does not support 32-bit Splunk Enterprise installs.
** Read the notes on FreeBSD 7 compatibility below.
† You must use gnu tar to unpack the HP/UX installation archive.

Windows operating systems

The table lists the Windows computing platforms that Splunk Enterprise is available for.

Operating system

Architecture

Enterprise

Free

Trial

Universal Forwarder

Windows Server 2003 and Server 2003 R2

x86 (64-bit)

✔

x86 (32-bit)

✔

Windows Server 2008

x86 (64-bit)

✔

✔

✔

✔

x86 (32-bit)

***

***

***

✔

Windows Server 2008 R2, Server 2012, and Server 2012 R2

x86 (64-bit)

✔

✔

✔

✔

Windows 7

x86 (64-bit)

✔

✔

✔

x86 (32-bit)

***

***

✔

Windows 8

x86 (64-bit)

✔

✔

✔

x86 (32-bit)

***

***

✔

Windows 8.1

x86 (64-bit)

✔

✔

✔

x86 (32-bit)

***

***

✔

*** This version of Splunk Enterprise is supported but is not recommended on this platform and architecture.

Operating system notes and additional information

Windows

Certain parts of Splunk Enterprise on Windows require elevated user permissions to function properly. For information about what is required, see the following topics:

FreeBSD 7.x

To run Splunk 6.x on 32-bit FreeBSD 7.x, install the compat6x libraries. Splunk Support supplies best effort support for users running on FreeBSD 7.x.
See "Install Splunk on FreeBSD 7" in the Community Wiki.

Deprecated operating systems and features

As we version the Splunk product, we gradually deprecate support of older operating systems. See "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely.

Creating and editing configuration files on non-UTF-8 OSes

Splunk Enterprise expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then ensure that the editor you are using is configured to save in ASCII/UTF-8.

IPv6 platform support

All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:

Supported browsers

Splunk Enterprise supports the following browsers:

Firefox ESR (24.2) and latest

Internet Explorer 9, 10, and 11

Safari (latest)

Chrome (latest)

Make sure that you have the latest version of Adobe Flash installed to render any charts that use options not supported by the JSChart module. For information, see "About JSChart" in Developing Views and Apps for Splunk Web.

Note Do not use Internet Explorer in compatibility mode when you access Splunk Web. Splunk Web warns you that your browser is not supported. If you must use IE in compatibility mode for other applications, you must use a supported browser for Splunk Web.
Internet Explorer version 9 does not support file uploads. Use IE version 10 or later.

Recommended hardware

If you are performing a comprehensive evaluation of Splunk Enterprise for production deployment, use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.

Splunk Enterprise and virtual machines

If you run Splunk Enterprise in a virtual machine (VM) on any platform, performance degrades. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk Enterprise needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing and search performance.

RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.

All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.

The minimum supported hardware guidelines are designed for personal use of Splunk. The requirements for Splunk in a production environment are significantly higher.

Important: For all installations, including forwarders, you must have a minimum of 5GB of hard disk space available in addition to the space required for any indexes. See "Estimate your storage requirements" in the Capacity Planning Manual for more information.

Hardware requirements for universal and light forwarders

Recommended

Dual-core 1.5GHz+ processor, 1GB+ RAM

Minimum

1.0Ghz processor, 512MB RAM

Supported file systems

Platform

File systems

Linux

ext2/3/4, reiser3, XFS, NFS 3/4

Solaris

UFS, ZFS, VXFS, NFS 3/4

FreeBSD

FFS, UFS, NFS 3/4, ZFS

Mac OS X

HFS, NFS 3/4

AIX

JFS, JFS2, NFS 3/4

HP-UX

VXFS, NFS 3/4

Windows

NTFS, FAT32

Note: If you run Splunk Enterprise on a file system that is not listed, Splunk Enterprise might run a startup utility named locktest to test the viability of a file system for running Splunk Enterprise. Locktest is a program that tests the start up process. If locktest runs and fails, then the file system is not suitable for running Splunk Enterprise.

Considerations regarding file descriptor limits (FDs) on *nix systems

Usually, the default file descriptor limit (controlled by the ulimit -n command on a *nix-based OS) is 1024. Your Splunk administrator determines the correct level, but it should be at least 8192. Even if Splunk Enterprise allocates a single file descriptor for each of the activities, it is easy to see how a few hundred files being monitored, a few hundred forwarders sending data, and a handful of very active users on top of reading and writing to and from the datastore can exhaust the default setting.

The more tasks your Splunk Enterprise instance is doing, the more FDs it needs. You should increase the ulimit value if you start to see your instance run into problems with low FD limits.

Considerations regarding Network File System (NFS)

When you use Network File System (NFS) as a storage medium for Splunk indexing, consider all of the ramifications of file level storage.

Use block level storage rather than file level storage for indexing your data.

In environments with reliable, high-bandwidth low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. However, customers who choose this strategy should work with their hardware vendor to confirm that the storage platform they choose performs to the specification in terms of both performance and data integrity.

If you use NFS, be aware of the following issues:

Splunk Enterprise does not support "soft" NFS mounts. These are mounts that cause a program attempting a file operation on the mount to report an error and continue in case of a failure.

Only "hard" NFS mounts (mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk Enterprise.

Do not disable attribute caching. If you have other applications that require disabling or reducing attribute caching, then you must provide Splunk Enterprise with a separate mount with attribute caching enabled.

Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can lead to data loss.

Considerations regarding solid state drives

Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.

When you use a CIFS resource for storage, make sure that you configure the resource for write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, ensure that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.

Do not attempt to index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.